How shall the authorization server ensure that the calling client is a user-agent based app (i.e. a native app could impersonate a user-agent based app)?

In my opinion, enforcing explicit user consent is the only way to prevent this kind of attack.

regards,
Torsten.

> -----Original Message-----
> From: Marius Scurtescu [mailto:[email protected]]
> Sent: Wednesday, 11 May 2011 20:28
> To: Lodderstedt, Torsten
> Cc: [email protected]; Doug Tangren
> Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience
>
> On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten
> <[email protected]> wrote:
> > Hi Marius,
> >
> > wrt "auto-approval": how is the authorization server supposed to
> > validate the client's identity in a reliable way? Otherwise another
> > application (using the id of the legitimate client) could abuse the
> > authorization previously approved by the user as long as the session
> > with the authorization server is valid. The redirect_uri won't help for
> > all kinds of clients since a native app could use the correct
> > redirect_uri and nevertheless get access to the token.
>
> The only validation is based on the redirect URI. Native apps should
> not use the implicit flow, and in general there is no need for
> auto-approval for them.
>
> Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
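The decision the two messages above argue over, written out as an added example (editor's code, not code from the thread or from any OAuth implementation): an authorization endpoint that validates the redirect URI by exact match, and that skips the consent screen only where a copy of the client_id and redirect_uri would gain an impersonator nothing. The client registry, client ids and URIs are constructed for the example.

```python
"""Added example (not from the mailing-list thread): a minimal
authorization-endpoint decision that applies the points made above.
Client registry, client ids and redirect URIs are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Client:
    client_id: str
    confidential: bool              # holds a secret, authenticates at the token endpoint
    redirect_uris: frozenset = field(default_factory=frozenset)


# Constructed registry: one confidential web app and one user-agent based app.
CLIENTS = {
    "webapp": Client("webapp", True, frozenset({"https://app.example/cb"})),
    "spa": Client("spa", False, frozenset({"https://spa.example/cb"})),
}


def redirect_uri_allowed(client: Client, redirect_uri: str) -> bool:
    """Exact match against the registered set: no prefix or wildcard matching,
    https only, and no fragment (the implicit flow appends the token there)."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in client.redirect_uris


def authorize(client_id: str, redirect_uri: str, response_type: str,
              previously_approved: bool) -> str:
    """Return 'reject:<reason>', 'consent' (show the consent screen) or
    'auto-approve' (skip it because the user approved this client before)."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "reject:unknown_client"
    # Never redirect, not even with an error, to an unregistered URI.
    if not redirect_uri_allowed(client, redirect_uri):
        return "reject:invalid_redirect_uri"
    if response_type not in ("code", "token"):
        return "reject:unsupported_response_type"
    if not previously_approved:
        return "consent"
    # Auto-approval only for a confidential client using the code flow: the
    # code is redeemed at the token endpoint, which authenticates the client,
    # so knowing the client_id and redirect_uri alone yields no token.
    if response_type == "code" and client.confidential:
        return "auto-approve"
    # Implicit flow, or any public client: the redirect URI is the only client
    # check and it does not authenticate the caller, so the token would go to
    # whoever reached this endpoint with the right client_id and redirect_uri.
    # Ask the user every time.
    return "consent"
```

The `previously_approved` flag stands in for whatever record of earlier grants the server keeps; the point of the example is that the flag is never sufficient on its own for a user-agent based client, because nothing in the implicit flow ties the request to the client the user approved.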
